console/deployment/utils/reverse-proxy.ts

import * as k8s from '@pulumi/kubernetes';
import { Output } from '@pulumi/pulumi';
import { ContourValues } from './contour.types';
import { helmChart } from './helm';

// prettier-ignore
export const CONTOUR_CHART = helmChart('https://charts.bitnami.com/bitnami', 'contour', '17.0.0');

export class Proxy {
  private lbService: Output<k8s.core.v1.Service> | null = null;

  constructor(
    private tlsSecretName: string,
    private staticIp?: { address?: string; aksReservedIpResourceGroup?: string },
  ) {}

  registerService(
    dns: { record: string; apex?: boolean },
    routes: {
      name: string;
      path: string;
      service: k8s.core.v1.Service;
      timeoutInSeconds?: number;
      retriable?: boolean;
      customRewrite?: string;
      virtualHost?: Output<string>;
      httpsUpstream?: boolean;
      withWwwDomain?: boolean;
    }[],
  ) {
    const cert = new k8s.apiextensions.CustomResource(`cert-${dns.record}`, {
      apiVersion: 'cert-manager.io/v1',
      kind: 'Certificate',
      metadata: {
        name: dns.record,
      },
      spec: {
        commonName: dns.record,
        dnsNames: [dns.record],
        issuerRef: {
          name: this.tlsSecretName,
          kind: 'ClusterIssuer',
        },
        secretName: dns.record,
      },
    });

    new k8s.apiextensions.CustomResource(
      `httpproxy-${dns.record}`,
      {
        apiVersion: 'projectcontour.io/v1',
        kind: 'HTTPProxy',
        metadata: {
          name: `ingress-${dns.record}`,
        },
        spec: {
          virtualhost: {
            fqdn: dns.record,
            tls: {
              secretName: dns.record,
            },
            corsPolicy: {
              allowOrigin: ['https://app.graphql-hive.com', 'https://graphql-hive.com'],
              allowMethods: ['GET', 'POST', 'OPTIONS'],
              allowHeaders: ['*'],
              exposeHeaders: ['*'],
            },
          },
          routes: routes.map(route => ({
            conditions: [
              {
                prefix: route.path,
              },
            ],
            services: [
              {
                name: route.service.metadata.name,
                port: route.service.spec.ports[0].port,
              },
            ],
            ...(route.path === '/'
              ? {}
              : {
                  pathRewritePolicy: {
                    replacePrefix: [
                      {
                        replacement: route.customRewrite || '/',
                      },
                    ],
                  },
                  ...(route.timeoutInSeconds
                    ? {
                        timeoutPolicy: {
                          response: `${route.timeoutInSeconds}s`,
                        },
                      }
                    : {}),
                  ...(route.retriable
                    ? {
                        retryPolicy: {
                          count: 2,
                          retryOn: ['reset', 'retriable-status-codes'],
                          retriableStatusCodes: [503],
                        },
                      }
                    : {}),
                }),
          })),
        },
      },
      {
        dependsOn: [cert, this.lbService!],
      },
    );

    return this;
  }

  deployProxy(options: {
    envoy: {
      replicas?: number;
      memory?: string;
      cpu?: string;
    };
  }) {
    const ns = new k8s.core.v1.Namespace('contour', {
      metadata: {
        name: 'contour',
      },
    });

    const chartValues: ContourValues = {
      configInline: {
        // https://projectcontour.io/docs/main/configuration/
        'accesslog-format': 'json',
        // https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage
        'json-fields': [
          '@timestamp',
          'bytes_received',
          'bytes_sent',
          'downstream_local_address',
          'duration',
          'method',
          'path',
          'request_id',
          'response_code',
          'response_flags',
          'upstream_cluster',
          'upstream_host',
          'upstream_service_time',
          'user_agent',
          'x_forwarded_for',
        ],
      },
      contour: {
        podAnnotations: {
          'prometheus.io/scrape': 'true',
          'prometheus.io/port': '8000',
          'prometheus.io/scheme': 'http',
          'prometheus.io/path': '/metrics',
        },
        podLabels: {
          'vector.dev/exclude': 'true',
        },
        resources: {
          limits: {},
        },
      },
      envoy: {
        resources: {
          limits: {},
        },
        service: {
          loadBalancerIP: this.staticIp?.address,
          annotations:
            this.staticIp?.address && this.staticIp?.aksReservedIpResourceGroup
              ? {
                  'service.beta.kubernetes.io/azure-load-balancer-resource-group':
                    this.staticIp?.aksReservedIpResourceGroup,
                }
              : undefined,
        },
        podAnnotations: {
          'prometheus.io/scrape': 'true',
          'prometheus.io/port': '8002',
          'prometheus.io/scheme': 'http',
          'prometheus.io/path': '/stats/prometheus',
        },
        autoscaling:
          options?.envoy?.replicas && options.envoy.replicas > 1
            ? {
                enabled: true,
                minReplicas: 1,
                maxReplicas: options.envoy.replicas,
              }
            : {},
      },
    };

    if (options.envoy?.cpu) {
      (chartValues.envoy!.resources!.limits as any).cpu = options.envoy.cpu;
    }

    if (options.envoy?.memory) {
      (chartValues.envoy!.resources!.limits as any).memory = options.envoy.memory;
    }

    const proxyController = new k8s.helm.v3.Chart('contour-proxy', {
      ...CONTOUR_CHART,
      namespace: ns.metadata.name,
      // https://github.com/bitnami/charts/tree/master/bitnami/contour
      values: chartValues,
    });

    this.lbService = proxyController.getResource('v1/Service', 'contour/contour-proxy-envoy');

    const contourDeployment = proxyController.getResource(
      'apps/v1/Deployment',
      'contour/contour-proxy-contour',
    );
    new k8s.policy.v1.PodDisruptionBudget('contour-pdb', {
      spec: {
        minAvailable: 1,
        selector: contourDeployment.spec.selector,
      },
    });

    const envoyDaemonset = proxyController.getResource(
      'apps/v1/ReplicaSet',
      'contour/contour-proxy-envoy',
    );
    new k8s.policy.v1.PodDisruptionBudget('envoy-pdb', {
      spec: {
        minAvailable: 1,
        selector: envoyDaemonset.spec.selector,
      },
    });

    new k8s.apiextensions.CustomResource(
      'secret-delegation',
      {
        apiVersion: 'projectcontour.io/v1',
        kind: 'TLSCertificateDelegation',
        metadata: {
          name: this.tlsSecretName,
          namespace: 'cert-manager',
        },
        spec: {
          delegations: [
            {
              secretName: this.tlsSecretName,
              targetNamespaces: ['*'],
            },
          ],
        },
      },
      {
        dependsOn: [this.lbService],
      },
    );

    return this;
  }

  get() {
    return this.lbService;
  }
}
Hello 2022-05-18 07:26:57 +00:00			`import * as k8s from '@pulumi/kubernetes';`
			`import { Output } from '@pulumi/pulumi';`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`import { ContourValues } from './contour.types';`
fix renovate config and extract versions from files under deployment dir (#1521) 2023-02-28 06:07:45 +00:00			`import { helmChart } from './helm';`
Hello 2022-05-18 07:26:57 +00:00
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`// prettier-ignore`
Revert "chore(deps): update helm release contour to v17.0.1" (#4335) 2024-03-25 14:27:18 +00:00			`export const CONTOUR_CHART = helmChart('https://charts.bitnami.com/bitnami', 'contour', '17.0.0');`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00
Hello 2022-05-18 07:26:57 +00:00			`export class Proxy {`
			`private lbService: Output<k8s.core.v1.Service> \| null = null;`

Adjustments to Pulumi code to support more pre-prod envs (#845) 2022-12-22 12:00:10 +00:00			`constructor(`
			`private tlsSecretName: string,`
			`private staticIp?: { address?: string; aksReservedIpResourceGroup?: string },`
			`) {}`
Hello 2022-05-18 07:26:57 +00:00
			`registerService(`
			`dns: { record: string; apex?: boolean },`
			`routes: {`
			`name: string;`
			`path: string;`
			`service: k8s.core.v1.Service;`
envoy - bump timeoutPolicy to 60s and retry twice on reset (#614) I updated the helm chart `7.8.0 -> 10.0.0` Whenever a request is dropped because of connection reset, we do a retry (max 2) now. The timeout (response) is higher `60s -> 15s` for all upstream routes. 2022-11-08 14:12:22 +00:00			`timeoutInSeconds?: number;`
Retry requests to /usage when it is not ready (#2792) 2023-09-04 07:41:06 +00:00			`retriable?: boolean;`
Hello 2022-05-18 07:26:57 +00:00			`customRewrite?: string;`
			`virtualHost?: Output<string>;`
			`httpsUpstream?: boolean;`
			`withWwwDomain?: boolean;`
Update dependency @theguild/prettier-config to v1 (#676) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kamil Kisiela <kamil.kisiela@gmail.com> 2022-11-24 10:00:41 +00:00			`}[],`
Hello 2022-05-18 07:26:57 +00:00			`) {`
			const cert = new k8s.apiextensions.CustomResource(`cert-${dns.record}`, {
			`apiVersion: 'cert-manager.io/v1',`
			`kind: 'Certificate',`
			`metadata: {`
			`name: dns.record,`
			`},`
			`spec: {`
			`commonName: dns.record,`
			`dnsNames: [dns.record],`
			`issuerRef: {`
			`name: this.tlsSecretName,`
			`kind: 'ClusterIssuer',`
			`},`
			`secretName: dns.record,`
			`},`
			`});`

			`new k8s.apiextensions.CustomResource(`
			`httpproxy-${dns.record}`,
			`{`
			`apiVersion: 'projectcontour.io/v1',`
			`kind: 'HTTPProxy',`
			`metadata: {`
			name: `ingress-${dns.record}`,
			`},`
			`spec: {`
			`virtualhost: {`
			`fqdn: dns.record,`
			`tls: {`
			`secretName: dns.record,`
			`},`
			`corsPolicy: {`
$ prettier <all> (#46) Co-authored-by: Dimitri POSTOLOV <dmytropostolov@gmail.com> 2022-05-24 13:31:53 +00:00			`allowOrigin: ['https://app.graphql-hive.com', 'https://graphql-hive.com'],`
Hello 2022-05-18 07:26:57 +00:00			`allowMethods: ['GET', 'POST', 'OPTIONS'],`
			`allowHeaders: ['*'],`
			`exposeHeaders: ['*'],`
			`},`
			`},`
$ prettier <all> (#46) Co-authored-by: Dimitri POSTOLOV <dmytropostolov@gmail.com> 2022-05-24 13:31:53 +00:00			`routes: routes.map(route => ({`
Hello 2022-05-18 07:26:57 +00:00			`conditions: [`
			`{`
			`prefix: route.path,`
			`},`
			`],`
			`services: [`
			`{`
			`name: route.service.metadata.name,`
			`port: route.service.spec.ports[0].port,`
			`},`
			`],`
			`...(route.path === '/'`
			`? {}`
			`: {`
			`pathRewritePolicy: {`
			`replacePrefix: [`
			`{`
			`replacement: route.customRewrite \|\| '/',`
			`},`
			`],`
			`},`
envoy - bump timeoutPolicy to 60s and retry twice on reset (#614) I updated the helm chart `7.8.0 -> 10.0.0` Whenever a request is dropped because of connection reset, we do a retry (max 2) now. The timeout (response) is higher `60s -> 15s` for all upstream routes. 2022-11-08 14:12:22 +00:00			`...(route.timeoutInSeconds`
			`? {`
			`timeoutPolicy: {`
			response: `${route.timeoutInSeconds}s`,
			`},`
			`}`
			`: {}),`
Retry requests to /usage when it is not ready (#2792) 2023-09-04 07:41:06 +00:00			`...(route.retriable`
envoy - bump timeoutPolicy to 60s and retry twice on reset (#614) I updated the helm chart `7.8.0 -> 10.0.0` Whenever a request is dropped because of connection reset, we do a retry (max 2) now. The timeout (response) is higher `60s -> 15s` for all upstream routes. 2022-11-08 14:12:22 +00:00			`? {`
			`retryPolicy: {`
			`count: 2,`
Retry requests to /usage when it is not ready (#2792) 2023-09-04 07:41:06 +00:00			`retryOn: ['reset', 'retriable-status-codes'],`
			`retriableStatusCodes: [503],`
envoy - bump timeoutPolicy to 60s and retry twice on reset (#614) I updated the helm chart `7.8.0 -> 10.0.0` Whenever a request is dropped because of connection reset, we do a retry (max 2) now. The timeout (response) is higher `60s -> 15s` for all upstream routes. 2022-11-08 14:12:22 +00:00			`},`
			`}`
			`: {}),`
Hello 2022-05-18 07:26:57 +00:00			`}),`
			`})),`
			`},`
			`},`
			`{`
			`dependsOn: [cert, this.lbService!],`
Update dependency @theguild/prettier-config to v1 (#676) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kamil Kisiela <kamil.kisiela@gmail.com> 2022-11-24 10:00:41 +00:00			`},`
Hello 2022-05-18 07:26:57 +00:00			`);`

			`return this;`
			`}`

Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`deployProxy(options: {`
			`envoy: {`
			`replicas?: number;`
			`memory?: string;`
			`cpu?: string;`
			`};`
			`}) {`
Hello 2022-05-18 07:26:57 +00:00			`const ns = new k8s.core.v1.Namespace('contour', {`
			`metadata: {`
			`name: 'contour',`
			`},`
			`});`

Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`const chartValues: ContourValues = {`
			`configInline: {`
			`// https://projectcontour.io/docs/main/configuration/`
			`'accesslog-format': 'json',`
			`// https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage`
			`'json-fields': [`
			`'@timestamp',`
			`'bytes_received',`
			`'bytes_sent',`
			`'downstream_local_address',`
			`'duration',`
			`'method',`
			`'path',`
			`'request_id',`
			`'response_code',`
			`'response_flags',`
			`'upstream_cluster',`
			`'upstream_host',`
			`'upstream_service_time',`
			`'user_agent',`
			`'x_forwarded_for',`
			`],`
			`},`
			`contour: {`
			`podAnnotations: {`
			`'prometheus.io/scrape': 'true',`
			`'prometheus.io/port': '8000',`
			`'prometheus.io/scheme': 'http',`
			`'prometheus.io/path': '/metrics',`
Hello 2022-05-18 07:26:57 +00:00			`},`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`podLabels: {`
			`'vector.dev/exclude': 'true',`
Hello 2022-05-18 07:26:57 +00:00			`},`
Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`resources: {`
			`limits: {},`
			`},`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`},`
			`envoy: {`
Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`resources: {`
			`limits: {},`
			`},`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`service: {`
			`loadBalancerIP: this.staticIp?.address,`
			`annotations:`
			`this.staticIp?.address && this.staticIp?.aksReservedIpResourceGroup`
Hello 2022-05-18 07:26:57 +00:00			`? {`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`'service.beta.kubernetes.io/azure-load-balancer-resource-group':`
			`this.staticIp?.aksReservedIpResourceGroup,`
Hello 2022-05-18 07:26:57 +00:00			`}`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`: undefined,`
Hello 2022-05-18 07:26:57 +00:00			`},`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`podAnnotations: {`
			`'prometheus.io/scrape': 'true',`
			`'prometheus.io/port': '8002',`
			`'prometheus.io/scheme': 'http',`
			`'prometheus.io/path': '/stats/prometheus',`
			`},`
			`autoscaling:`
Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`options?.envoy?.replicas && options.envoy.replicas > 1`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`? {`
			`enabled: true,`
			`minReplicas: 1,`
Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`maxReplicas: options.envoy.replicas,`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`}`
			`: {},`
Hello 2022-05-18 07:26:57 +00:00			`},`
Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`};`

Fix resource limits for envoy (#4346) 2024-03-26 08:18:00 +00:00			`if (options.envoy?.cpu) {`
			`(chartValues.envoy!.resources!.limits as any).cpu = options.envoy.cpu;`
			`}`

			`if (options.envoy?.memory) {`
			`(chartValues.envoy!.resources!.limits as any).memory = options.envoy.memory;`
			`}`

Full type-safe for Helm charts in Pulumi deployment code (#4205) 2024-03-13 10:17:52 +00:00			`const proxyController = new k8s.helm.v3.Chart('contour-proxy', {`
			`...CONTOUR_CHART,`
			`namespace: ns.metadata.name,`
			`// https://github.com/bitnami/charts/tree/master/bitnami/contour`
			`values: chartValues,`
Hello 2022-05-18 07:26:57 +00:00			`});`

$ prettier <all> (#46) Co-authored-by: Dimitri POSTOLOV <dmytropostolov@gmail.com> 2022-05-24 13:31:53 +00:00			`this.lbService = proxyController.getResource('v1/Service', 'contour/contour-proxy-envoy');`
Hello 2022-05-18 07:26:57 +00:00
Update dependency @theguild/prettier-config to v1 (#676) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kamil Kisiela <kamil.kisiela@gmail.com> 2022-11-24 10:00:41 +00:00			`const contourDeployment = proxyController.getResource(`
			`'apps/v1/Deployment',`
			`'contour/contour-proxy-contour',`
			`);`
Added missing PodDisruptionBudget, upgrade cert-manager to latest (#656) 2022-11-18 09:15:14 +00:00			`new k8s.policy.v1.PodDisruptionBudget('contour-pdb', {`
			`spec: {`
			`minAvailable: 1,`
			`selector: contourDeployment.spec.selector,`
			`},`
			`});`

Update dependency @theguild/prettier-config to v1 (#676) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kamil Kisiela <kamil.kisiela@gmail.com> 2022-11-24 10:00:41 +00:00			`const envoyDaemonset = proxyController.getResource(`
			`'apps/v1/ReplicaSet',`
			`'contour/contour-proxy-envoy',`
			`);`
Added missing PodDisruptionBudget, upgrade cert-manager to latest (#656) 2022-11-18 09:15:14 +00:00			`new k8s.policy.v1.PodDisruptionBudget('envoy-pdb', {`
			`spec: {`
			`minAvailable: 1,`
			`selector: envoyDaemonset.spec.selector,`
			`},`
			`});`

Hello 2022-05-18 07:26:57 +00:00			`new k8s.apiextensions.CustomResource(`
			`'secret-delegation',`
			`{`
			`apiVersion: 'projectcontour.io/v1',`
			`kind: 'TLSCertificateDelegation',`
			`metadata: {`
			`name: this.tlsSecretName,`
			`namespace: 'cert-manager',`
			`},`
			`spec: {`
			`delegations: [`
			`{`
			`secretName: this.tlsSecretName,`
			`targetNamespaces: ['*'],`
			`},`
			`],`
			`},`
			`},`
			`{`
			`dependsOn: [this.lbService],`
Update dependency @theguild/prettier-config to v1 (#676) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Kamil Kisiela <kamil.kisiela@gmail.com> 2022-11-24 10:00:41 +00:00			`},`
Hello 2022-05-18 07:26:57 +00:00			`);`

			`return this;`
			`}`

			`get() {`
			`return this.lbService;`
			`}`
			`}`